tried to login but they do not have USE permission or weren't found. Deleting remember me cookie Edited

I'm at a loss on this one.  I have ONE user who can't seem to log into JIRA (server 7.4.3).  They were able to log in back in July, but can't now.  I get the following in the log:

'vandala' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2017-09-05 16:38:42,143 http-nio-80-exec-500 anonymous 998x1090914x1 1ngbs20 10.70.57.20 /login.jsp The user 'vandala' has FAILED authentication. Failure count equals 33

 I've checked their groups - all correct.  I've removed them from all groups and re-added.  Still the same error.  They've changed their active directory password and tried again.  Still not working.  

And yes, I know it "feels" like they're typing the wrong password.  But I've tried their password and can't get it.  And the service desk has changed it and had them try the new one, and still not luck.

All other users are working as expected.  I don't know what else to try.  I have submitted a support ticket, but they're waiting for logs from when the user tries to log in - but the user is on vaca for now.  Thought I'd try the community.  :-)  THANKS!

1 answer

0 votes

Can you tell us the basics of the setup of your user directories?

What directories do you have, and in what order?  I suspect vandala may be duplicated and it's trying to log in as the wrong one...

The order is:

  • JIRA Internal Directory
  • Active Directory server - our Columbus operations
  • Active Directory server - our Lisbon operations
  • Active Directory server - our Cincinnati operations
  • Active Directory server - our London operations

My user would be in the Columbus operations group.  

Don't know if it matters, but he's off shore and would be using VPN to come in and logging into JIRA from that VPN client.  Although we have other users who are coming in that way.

Ok, great.  Can you check if there is a duplicate in the internal directory?  Same login id.

Nope.  The only ID I have in the internal directory is admin.  

I did get a perplexing error early this AM when he tried to log in.  Looks like my Cincinnati domain was having issues syncing and threw this error:

2017-09-25 05:04:27,143 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.

What confuses me is that vandala is in the Columbus domain, so why would it care if LUK (Cincinnati) was having issues?

Also, he's been able to log in before.  That's what really confuses me.  Something has changed.  I just can't figure out what!

ScreenShot113.jpg

You're right, Columbus shouldn't care if another domain is failing.  Does vandala only exist in Columbus?

Also, can you try getting the lines of logs above and below the line you gave in the question (only 5 either side at most)

Yep, I checked and he only exists in Columbus.  Here is a chunk between two of his login attempts.  Sorry it's so huge:

2017-09-25 04:42:44,387 Caesium-1-3 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] INCREMENTAL synchronisation complete for directory [ 10200 ] in [ 23977ms ]
2017-09-25 04:42:49,348 Caesium-1-2 INFO ServiceRunner [c.a.c.d.ldap.cache.UsnChangedCacheRefresher] scanned and compared [ 0 ] groups for delete in DB cache in [ 0ms ]
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removing [ 0 ] groups
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 0 ] groups successfully in [ 0ms ]
2017-09-25 04:42:49,364 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteDirectory] INCREMENTAL synchronisation complete for directory [ 10400 ] in [ 28564ms ]
2017-09-25 04:48:43,671 http-nio-80-exec-769 ERROR anonymous 288x652016x1 1gjzfaq 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.
2017-09-25 04:48:43,780 http-nio-80-exec-769 ERROR anonymous 288x652016x1 1gjzfaq 10.70.57.20 /login.jsp [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'vandala@netjets.com'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:945)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:87)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:75)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:49)
at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:88)
... 33 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered
at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
... 26 filtered
at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
... 23 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:111)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:175)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:88)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:337)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.searchWithLimitedResults(SpringLdapTemplateWrapper.java:376)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:503)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:464)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:685)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:634)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:620)
at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1119)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:272)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:208)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:186)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:311)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:198)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:75)
... 107 more
Caused by: javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
... 130 more
2017-09-25 05:04:27,143 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.c.manager.application.ApplicationServiceGeneric] Directory 'LUK BIND AD' is not functional during authentication of 'vandala@netjets.com'. Skipped.
2017-09-25 05:04:27,642 http-nio-80-exec-758 ERROR anonymous 304x652104x1 14fhbvj 10.70.57.20 /login.jsp [c.a.j.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'vandala@netjets.com'.
com.atlassian.crowd.exception.runtime.OperationFailedException
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:945)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:87)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:75)
at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:49)
at com.atlassian.seraph.auth.DefaultAuthenticator.login(DefaultAuthenticator.java:88)
... 33 filtered
at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
... 10 filtered
at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
... 4 filtered
at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
... 26 filtered
at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
... 23 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:111)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:356)
at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:140)
at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:175)
at org.springframework.ldap.transaction.compensating.manager.TransactionAwareContextSourceProxy.getReadWriteContext(TransactionAwareContextSourceProxy.java:88)
at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:357)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:337)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$9.timedCall(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper$TimedCallable.call(SpringLdapTemplateWrapper.java:146)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.invokeWithContextClassLoader(SpringLdapTemplateWrapper.java:109)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.search(SpringLdapTemplateWrapper.java:334)
at com.atlassian.crowd.directory.ldap.SpringLdapTemplateWrapper.searchWithLimitedResults(SpringLdapTemplateWrapper.java:376)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntitiesWithRequestControls(SpringLDAPConnector.java:503)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchEntities(SpringLDAPConnector.java:464)
at com.atlassian.crowd.directory.SpringLDAPConnector.searchUserObjects(SpringLDAPConnector.java:685)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserWithAttributesByName(SpringLDAPConnector.java:634)
at com.atlassian.crowd.directory.SpringLDAPConnector.findUserByName(SpringLDAPConnector.java:620)
at com.atlassian.crowd.directory.SpringLDAPConnector.authenticate(SpringLDAPConnector.java:1119)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticateAndUpdateInternalUser(DbCachingRemoteDirectory.java:272)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.performAuthenticationAndUpdateAttributes(DbCachingRemoteDirectory.java:208)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.authenticate(DbCachingRemoteDirectory.java:186)
at com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.authenticateUser(DirectoryManagerGeneric.java:311)
at com.atlassian.crowd.manager.application.ApplicationServiceGeneric.authenticateUser(ApplicationServiceGeneric.java:198)
at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:75)
... 107 more
Caused by: javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:78)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:344)
... 130 more
2017-09-25 05:09:43,776 Caesium-1-4 INFO ServiceRunner [c.a.j.p.h.service.ping.RefreshConnectionStatusJobHandler] Running RefreshConnectionStatusJobHandler...
2017-09-25 05:09:44,042 Caesium-1-2 INFO ServiceRunner [c.a.j.p.h.service.connect.InstallGlancesJobHandler] Running InstallGlancesJobHandler...
2017-09-25 05:09:44,042 Caesium-1-2 INFO ServiceRunner [c.a.j.p.h.service.connect.InstallGlancesJobHandler] There is no link to HipChat, no need to install glances.

Given the error of

Caused by: org.springframework.ldap.ConfigurationException: java.naming.provider.url property does not contain a URL; nested exception is javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL

That is a pretty clear indication that there is something wrong with the user directory that Jira is storing.  The KB JIRA drops LDAP configuration - java.naming.provider.url property does not contain a URL  better explains that error and steps you can follow to get around this.  I believe it has you recreating a new user directory with the same settings as the potentially corrupted user directory.   I recommend following the steps in that KB under the Diagnosis section first to make sure this applies to your instance.

 

If you follow those steps to fix this error, and you still have users that cannot login to Jira, then I would recommend following Unable to login to Jira Applications.  

This KB has additional steps to follow where you can turn on additional logging to better understand why users are unable to login to Jira.  But I would try to fix that 'java.naming.provider.url' exception first.

Thanks for that, Andrew.  However, that error is in reference to the Domain that user is NOT in, so I believe that is a red herring.  I don't disagree that I have an issue with that Domain, but my problem is with the ONE user that cannot log into JIRA who is in my Columbus Domain.  These errors today RE the LUK Domain are confusing the issue.  

It is my understanding that turning on the logs 

com.atlassian.jira.login com.atlassian.jira.login.security

will flood my logs, no?  I want to coordinate that with my user so that they can be turned on prior to him attempting a login and then turned off.  I'll let you know what I find after that attempt.

I would agree that you don't want to leave the DEBUG level logging on for those two packages long term.  It would be best to set them up just before this user tries to login and then take a look at the atlassian-jira-security.log file in your JIRAHOME/log/ folder.

Ok, turned com.atlassian.jira.login com.atlassian.jira.login.security to DEBUG. 

2017-09-27 09:12:09,325 analyticsEventProcessor:thread-1 kgangaraju Setting JIRA Auth Context to be 'kgangaraju'
2017-09-27 09:12:09,325 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,654 http-nio-80-exec-862 anonymous 552x881031x1 bd7j3w 10.81.18.58 /rest/greenhopper/1.0/xboard/work/allData.json The cookie header is '760' characters : 'optimizelyEndUserId=oeu1482934706926r0.3486064234731623; __qca=P0-223010390-1482934707743; rxVisitor=1485353515595VBON37SAPLDT4NO83EI75BDPCTC1GI50; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; s_nr=1504102582326-Repeat; __utma=50468150.799443992.1482873239.1503685203.1504102577.38; __utmz=50468150.1503685203.37.21.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __hstc=9489834.365f06d027e4cabcc7fed512036b9c88.1482934709676.1499879167803.1504102584174.34; hubspotutk=365f06d027e4cabcc7fed512036b9c88; _ga=GA1.2.799443992.1482873239; _gid=GA1.2.420850058.1506453916; JSESSIONID=127244E4D175CCD4C458D56D78FDB2AE; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|63bf8f0c385fb1859874640400b4b57cf973e749|lin; jira.editor.user.mode=wysiwyg'.
2017-09-27 09:12:09,891 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The cookie header is '131' characters : 'atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|2ba8f7f483186f98471cd9a4e497e78e265b430f|lout; JSESSIONID=286DF7CDB4DF8E4B25AE0EF009F5E109'.
2017-09-27 09:12:09,907 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,907 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login login : 'vandala' tried to login but they do not have USE permission or weren't found. Deleting remember me cookie.
2017-09-27 09:12:09,907 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,922 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,922 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,938 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,938 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 analyticsEventProcessor:thread-1 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The user 'vandala' has FAILED authentication. Failure count equals 49
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@731e243[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@234f1a57[lastLoginTime=1497453769572,previousLoginTime=1494251526021,loginCount=64,currentFailedLoginCount=49,totalFailedLoginCount=55,lastFailedLoginTime=1506517929907,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=300],userName=vandala,deniedReasons=[]]
2017-09-27 09:12:10,047 http-nio-80-exec-844 anonymous 552x881033x1 1mkqzmt 10.81.18.76 /rest/api/1.0/menus/greenhopper_menu The cookie header is '711' characters : 'optimizelyEndUserId=oeu1482331331335r0.7919635355681773; __qca=P0-553155517-1482331332791; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; __hstc=9489834.857a454fa590d39ae84f415d1c4d801a.1482331333009.1482331333009.1495048673323.2; hubspotutk=857a454fa590d39ae84f415d1c4d801a; s_fid=4E34C13728EBCCBA-19CE4E9506800E93; s_nr=1505409667550-New; __utma=50468150.791325845.1481830887.1502739867.1505409668.8; __utmz=50468150.1502739867.7.7.utmcsr=flydev.netjets.com|utmccn=(referral)|utmcmd=referral|utmcct=/Welcome/; _ga=GA1.2.791325845.1481830887; jira.editor.user.mode=wysiwyg; JSESSIONID=22225AEB9BFB214856E1EEF42D078C4D; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|b050cd72c9a378774c69a90a9398b3eddb862d10|lin'.
2017-09-27 09:12:10,094 Navlink Plugin Executor:thread-7 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:10,094 Navlink Plugin Executor:thread-7 anonymous Setting JIRA Auth Context to be 'anonymous'
2017-09-27 09:12:10,125 http-nio-80-exec-850 anonymous 552x881034x1 bd7j3w 10.81.18.58 /rest/dev-status/1.0/issue/summary The cookie header is '760' characters : 'optimizelyEndUserId=oeu1482934706926r0.3486064234731623; __qca=P0-223010390-1482934707743; rxVisitor=1485353515595VBON37SAPLDT4NO83EI75BDPCTC1GI50; optimizelySegments=%7B%7D; optimizelyBuckets=%7B%7D; s_nr=1504102582326-Repeat; __utma=50468150.799443992.1482873239.1503685203.1504102577.38; __utmz=50468150.1503685203.37.21.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __hstc=9489834.365f06d027e4cabcc7fed512036b9c88.1482934709676.1499879167803.1504102584174.34; hubspotutk=365f06d027e4cabcc7fed512036b9c88; _ga=GA1.2.799443992.1482873239; _gid=GA1.2.420850058.1506453916; JSESSIONID=127244E4D175CCD4C458D56D78FDB2AE; atlassian.xsrf.token=BS0B-PWKG-2TLT-KNYW|63bf8f0c385fb1859874640400b4b57cf973e749|lin; jira.editor.user.mode=wysiwyg'.
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login The user 'vandala' has FAILED authentication. Failure count equals 49
2017-09-27 09:12:09,969 http-nio-80-exec-886 anonymous 552x881032x1 1miwtnr 10.70.57.20 /rest/gadget/1.0/login Gadget login called with lastLoginResult : com.atlassian.jira.bc.security.login.LoginResultImpl@731e243[reason=AUTHENTICATED_FAILED,loginInfo=com.atlassian.jira.bc.security.login.LoginInfoImpl@234f1a57[lastLoginTime=1497453769572,previousLoginTime=1494251526021,loginCount=64,currentFailedLoginCount=49,totalFailedLoginCount=55,lastFailedLoginTime=1506517929907,elevatedSecurityCheckRequired=false,maxAuthenticationAttemptsAllowed=300],userName=vandala,deniedReasons=[]]


That 'AUTHENTICATED_FAILED' just tells us this username/password failed to login to that LDAP instance.   The most common reason is that the password doesn't match the username.  But this isn't the only reason. Unable to login to Jira Applications lists the other possible causes:

  • Check their login/password.
  • For LDAP users, this could happen when the user is created in Active Directory/LDAP with the setting to change password on first login and then the users login to JIRA before logging into a different system or Windows and change their password. The resolution would be to request the user to login to another system and change their password or ensure they do not need to reset their password on next login.
  • In Active Directory, the LDAP server is not listed in the Log On To list for the particular user (User Properties > Account > Log On To...)

(info) If a specific group of users are having this error consistently, it could be caused by the ldap.user.dn - A group of users are not able to login due to AUTHENTICATED_FAILED error

 

So if we rule out all of these possible causes list above here, I think the next steps would be to recreate the User directory in Jira once more.  Which would be the same steps to follow to fix the other error.   I am not yet convinced the other KB of JIRA drops LDAP configuration - java.naming.provider.url property does not contain a URL isn't the cause of this problem yet.

Even though you stated this user does not exist in that other user directory, if that directory in Jira has become corrupted in Jira's database, and Jira believes that username exists in a higher ordered directory, Jira will only allow the user to login to the highest ordered directory where that username exists.

I haven't been able to redo that configuration, but I was able to disable it and the other configurations, leaving only my Columbus config and he still cannot log in and gets the same error.  I'm at a loss at this point.  

As an update - Atlassian had me forcibly delete the user from our database, resync with Active Directory and see if that fixed things.  It DIDN'T!  Anyone else have thoughts??  

One more update.  The same user is not able to log into our Confluence site either.  When trying to log in to either JIRA or Confluence, they get the "username or password incorrect" error.  

Another interesting tidbit is that we just changed his password and attempted to log in from onsite with the newly change password and also get the same username/pw error...

Thoughts?

Hi Mary,

We use the same version 7.4.3, and one of our user is not able to connect.

Do you manage to solve this issue ?

Regards,

This turned out to be a configuration issue for the user on our Active Directory side.  Had nothing to do with JIRA.

Are you able to elaborate on the config issue? I've just run into this, and the suggestions in this thread aren't making any difference.

@Mary Wilson can you elaborate on the config issue? We have the same problem with one of our users and cant figure it out.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Thursday in Jira

Continuous visibility with the new Jira Software Cloud and Bitbucket Cloud integration

Hey Atlassian community, I am a PM on the Bitbucket Cloud team and I am excited to share that we just released an improvement to the Jira Software and Bitbucket Cloud integration. With the newly im...

75 views 0 3
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you